SonarQube
SonarQube shows application health and highlights newly introduced issues.
SonarQube
SonarQube is an on-premise analysis tool designed to detect coding issues in 30+ languages, frameworks, and IaC platforms.
Supported Languages (20240809)
- Community Edition: Java, C#, JavaScript, TypeScript, Kotlin, CloudFormation, Terraform, Docker, Kubernetes Helm Charts, Ruby, Go, Scala, Flex, Python, PHP, HTML, CSS, XML, VB.NET, Azure Resource Manager
- Developer Edition: all languages in Community Edition plus C, C++, Obj-C, Swift, ABAP, T-SQL, PL/SQL
- Enterprise and Data Center Editions: all languages in Developer Edition plus APEX, COBOL, JCL, PL/I, RPG, VB6
Rules
https://rules.sonarsource.com/
TODO
- Install SonarQube in k8s (Helm chart, Community Edition v10.6)
- Install Gitlab-runner in k8s (check status)
- Write sonar-project.properties for terraform repo
- Rewrite terraform .gitlab-ci.yml
- Check CI Pipeline Status
Event Flow
SonarQube in CI Flow
Installation
- Docker
- K8s
helm repo add sonarqube https://SonarSource.github.io/helm-chart-sonarqube
helm repo update
# --create-namespace is added here: helm does not create the target namespace by itself.
# postgresql.enabled=true uses the chart's bundled PostgreSQL, which is meant for evaluation only.
helm install sonarqube sonarqube/sonarqube \
  --namespace sonarqube \
  --create-namespace \
  --set ingress-nginx.enabled=false \
  --set postgresql.enabled=true \
  --set initSysctl.enabled=true \
  --set initFs.enabled=true \
  --set service.type=NodePort
Server
SonarQube
http://10.1.5.201:32275/
admin | admin
ubuntu | ubuntu
Scanner-CLI
- Install
wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.1.0.4477-linux-x64.zip
unzip sonar-scanner-cli-6.1.0.4477-linux-x64.zip
- Add cmd path
sudo mv sonar-scanner-6.1.0.4477-linux-x64 /usr/local/sonar-scanner
sudo ln -s /usr/local/sonar-scanner/bin/sonar-scanner /usr/local/bin/sonar-scanner
- Check
sonar-scanner --version
Run scanner in repo
- Create sonar-project.properties
sonar.projectKey=<projectKey from sonarqube when creating project>
# makes sonar-scanner wait for the quality gate and exit non-zero when it is red
sonar.qualitygate.wait=true
sonar.projectVersion=1.0
sonar.sources=.
# sonar.language is deprecated; current versions detect languages from file extensions
sonar.language=terraform
sonar.host.url=http://10.1.5.201:32275
# sonar.login is deprecated since SonarQube 10.0 in favour of sonar.token. In CI, pass the
# token through the SONAR_TOKEN environment variable rather than committing it to the repo.
sonar.login=<login token from sonarqube when creating project>
- Run
sonar-scanner
Integrate with GitLab CI
GitLab Runner
- Get values.yaml
# add the GitLab chart repository first (assumed not yet added on this host)
helm repo add gitlab https://charts.gitlab.io
helm show values gitlab/gitlab-runner > values_gitlab-runner.yaml
- Get the whole Helm chart
helm pull gitlab/gitlab-runner --untar
- Create namespace
kubectl create ns gitlab
- Change the Helm chart values.yaml (values_gitlab-runner.yaml)
gitlabUrl: https://gitlab.com/
# registration tokens are deprecated since GitLab 16; newer charts take a runner
# authentication token via runnerToken instead
runnerRegistrationToken: "<your runner registration token from gitlab>"
checkInterval: 30
- Create RBAC
gitlab-rbac.yaml
# Note: this ClusterRole grants pod create/exec/attach in every namespace to the
# namespace's default ServiceAccount. A namespaced Role/RoleBinding for a dedicated
# runner ServiceAccount (what the chart's rbac.create option produces) is the
# least-privilege choice.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gitlab-runner-cluster-role
rules:
  - apiGroups: [""]
    # the log subresource is "pods/log" (singular); "pods/logs" matches nothing
    resources: ["pods", "pods/log", "pods/exec", "pods/attach"]
    verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-runner-cluster-role-binding
subjects:
  - kind: ServiceAccount
    name: default
    namespace: gitlab
roleRef:
  kind: ClusterRole
  name: gitlab-runner-cluster-role
  apiGroup: rbac.authorization.k8s.io
kubectl apply -f gitlab-rbac.yaml
- Create GitLab Runner in k8s
helm install gitlab-runner gitlab/gitlab-runner -n gitlab -f values_gitlab-runner.yaml
GitLab CI
Take Terraform as an example (.gitlab-ci.yml)
stages:
  - format
  - validate
  - sonarqube-check

format-job:
  stage: format
  image:
    name: hashicorp/terraform:1.9
    entrypoint: [""]
  script:
    # -check makes the job fail on unformatted files instead of silently rewriting them on the runner
    - terraform fmt -check

validate-job:
  stage: validate
  image:
    name: hashicorp/terraform:1.9
    entrypoint: [""]
  script:
    - terraform init
    - terraform validate

sonarqube-check:
  stage: sonarqube-check
  image:
    name: sonarsource/sonar-scanner-cli:11.0
    entrypoint: [""]
  variables:
    GIT_DEPTH: "0"  # full clone so SonarQube can attribute new code and compute blame
  script:
    - sonar-scanner
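Added example, not code from the original notes: a small Python script that does explicitly what `sonar.qualitygate.wait=true` does inside the scanner, so the pipeline stops on a red gate. It reads the `.scannerwork/report-task.txt` file that sonar-scanner writes, polls the `api/ce/task` endpoint until the background task finishes, then asks `api/qualitygates/project_status` for the gate result. The server URL, task id and JSON responses below are constructed sample data, and in CI the token is assumed to arrive as a masked `SONAR_TOKEN` variable.

```python
"""Fail the CI job unless the SonarQube quality gate for the submitted analysis is OK."""
import base64
import json
import os
import time
import urllib.request

def parse_report_task(text):
    """Parse .scannerwork/report-task.txt (key=value lines written by sonar-scanner)."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def http_get_json(url, token):
    """GET a Web API URL; the token is sent as the basic-auth user with an empty password."""
    req = urllib.request.Request(url)
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{token}:".encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def quality_gate_status(report, get_json, poll_interval=5, max_polls=60):
    """Wait for the background (CE) task, then return (gate status, failed conditions)."""
    base = report["serverUrl"].rstrip("/")
    task = {"status": "PENDING"}
    for _ in range(max_polls):
        task = get_json(f"{base}/api/ce/task?id={report['ceTaskId']}")["task"]
        if task["status"] in ("SUCCESS", "FAILED", "CANCELED"):
            break
        time.sleep(poll_interval)
    if task["status"] != "SUCCESS":
        raise RuntimeError(f"analysis task ended with status {task['status']}")
    gate = get_json(f"{base}/api/qualitygates/project_status?analysisId={task['analysisId']}")
    return gate["projectStatus"]["status"], [c for c in gate["projectStatus"].get("conditions", []) if c.get("status") == "ERROR"]

# Constructed sample data standing in for the real report file and server responses.
SAMPLE_REPORT = "projectKey=terraform-demo\nserverUrl=http://sonar.example:9000\nceTaskId=AYtask1\n"
FAKE_API = {
    "http://sonar.example:9000/api/ce/task?id=AYtask1":
        {"task": {"status": "SUCCESS", "analysisId": "AYanalysis1"}},
    "http://sonar.example:9000/api/qualitygates/project_status?analysisId=AYanalysis1":
        {"projectStatus": {"status": "ERROR", "conditions": [{"status": "ERROR",
            "metricKey": "new_security_hotspots_reviewed", "errorThreshold": "100", "actualValue": "50.0"}]}},
}

def check_sample():  # offline run of the gate check against the constructed responses
    return quality_gate_status(parse_report_task(SAMPLE_REPORT), lambda url: FAKE_API[url], poll_interval=0)

if __name__ == "__main__":  # in CI, run after sonar-scanner; SONAR_TOKEN is a masked CI variable
    report = parse_report_task(open(".scannerwork/report-task.txt").read())
    status, failed = quality_gate_status(report, lambda u: http_get_json(u, os.environ["SONAR_TOKEN"]))
    print("quality gate:", status, [c["metricKey"] for c in failed])
    raise SystemExit(0 if status == "OK" else 1)
```

Run it as an extra `script:` line after `sonar-scanner` in the sonarqube-check job; a non-zero exit fails the job and therefore the pipeline.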
Conclusion
- Besides its own built-in checks, SonarQube can also ingest reports from tflint or golangci-lint (the report must be generated first; sonar-scanner then reads that file).
- SonarQube's good UI makes it easy for developers to track code issues.
- Returning sonar-scanner's failure can stop the GitLab CI pipeline (to be confirmed).